Free public file-sharing sites – not recommended

The Technology Committee does not recommend the use of free services provided to the public by file-sharing sites for the sharing or distribution of client information.

Technology 02/09/2016

The Technology Committee does not recommend the use of free services provided to the public by file-sharing sites for the sharing or distribution of client information. 

If clients insist on the use of such sites, they should be made aware that such free services generally do not provide sufficient contractual assurances to enable practitioners to discharge their obligations to clients and that they are not recommended by the Law Society’s Technology Committee.

A number of such file-sharing sites also offer paid versions for use by businesses. These versions may offer better contractual conditions, but they should be used with caution and only after solid evaluation and a robust examination of their capabilities prior to professional use.

Sample questions for file-sharing

  1. Is the electronic storage medium capable of storing the documentation in a durable, accessible, secure manner for as long as the statutory or regulatory periods require? See Technology Committee guidance.
  2. What are the back-up and archiving arrangements? Back-up services often put data into the hands of end users.
  3. What are the provisions for delete and restore?
  4. What is the termination policy of file-sharing sites?
  5. Do the terms of service provide for permanent deletion?
  6. Is the data permanently deleted or transferred completely to you? What does ‘permanently deleted’ even mean? Unless there is a clause stating that the file is permanently deleted and that the permanent deletion of a file will not allow you or the file-sharing provider to restore these files at a later date, then there are still risks that the file can be subsequently recovered and used. Sites offer the recovery of deleted files with periods of recovery ranging from six months to one year. However, this does not mean that, after one year, the data has completely been wiped out. This just means that the file-sharing provider is no longer obliged to provide you with a restore service.
  7. Will it be possible to export or reproduce onto paper the content of any electronically stored material? What is the format of the material for future availability and accessibility?
  8. Have you consulted with your insurer on the acceptability of electronic storage of client files and documents in the event of a claim against the solicitor?
  9. Who is in control of the data? Is it the client or solicitor or the file-sharing service provider?
  10. Do the terms of service allow for disclosure of data to third parties? Does disclosure to third parties, if reasonably necessary:
    • Comply with the law?
    • Protect any person from death or serious bodily injury, with permissible exceptions under Irish data protection (section 8)?
    • Others might be to prevent fraud or abuse of service or its users, or to protect a service’s property rights.
  11. Do the terms of service allow collection of information, as follows:

    • From and about the devices you use to access their services?
    • IP addresses, the type of browser and device you use, the web page you visited before coming to sites, and identifiers associated with your devices?
    • Your devices (depending on their settings) may also transmit location information to the services.
  12. Do the terms of service allow the service to use third parties to “improve, protect, and promote our services”? Who are these third parties?
  13. How reliable is the company providing the service? Have you considered a locally based file-sharing service provider cloud provider? The New Zealand Law Society, in its practice briefing, Cloud Computing Guidelines for Lawyers, recommends using a local provider, as they are easier to negotiate a policy with, and terms of service that meet your needs and requirements.
  14. What is the stability of the file-sharing service provider?
    • Are they contractually obliged to inform in advance of structural changes in the business?
    • Are you able to terminate your contract due to ownership changes?
    • What happens if your data cannot be held in the event of the winding-up of the company?
    • Can the provider suspend service without prior notice?
  15. Where is the data stored? Where are the storage servers and data centres? Obviously, there are different data protection laws, standards and regulations depending on the jurisdiction.
  16. Does the service allow for shareable links? When a user creates a shareable link in some services, anyone with that link can access the data. They don’t have to be a registered user of the service to access a shared link. If you’re using the business version of a file-sharing service, then there is usually a security setting available to restrict access to shared links.
  17. How is the data secured/encrypted?
  18. What is the agreement with the client around authentication and authorisation policies?
  19. Who can access what, and in what scenarios?
  20. Can you control:
    • Who is allowed to access a document?
    • How a file can be viewed or duplicated, including the ability to allow or block printing, editing, copying and forwarding?
    • The setting of expiration dates or revoking permission to view a document at will?
    • Can you create an audit trail of where documents were viewed, on which devices, and at what times?
    • Can you embed security into the documents, so that documents downloaded to a device that is later lost or stolen will be unreadable to anyone except authorised users?